Configuring MDX Policies for Android Apps in App Controller

Aug 29, 2013

You can configure the following policies in App Controller 2.8 for apps that run on Android devices.

Policies to Limit App Interaction

Security Group
The name of the security group to which the app belongs. Leave this field blank if you want all XenMobile App Edition managed mobile apps to exchange information with one another. Define a security group name to manage security settings for specific sets of apps (for example, Finance or Human Resources).
Cut and Copy
Blocks, permits, or restricts Clipboard cut and copy operations for the app. When you choose Restricted, the copied Clipboard data is placed in a private Clipboard that is only available to MDX apps. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Document exchange (Open In)
Blocks, permits, or restricts document exchange operations for the app. When you choose Restricted, documents can be exchanged only with other MDX apps. Default is Restricted.

Options: Unrestricted, Blocked, or Restricted

Policies to Set App Restrictions

Disable diagnostic logging
If On, disables diagnostic logging. Default is On.
Block camera
Prevents access to the camera. Default is On.

Block mic record
Prevents access to the microphone for recording. Default is On.
Block location services
Prevents the use of location services (GPS or network). Default is On.
Block SMS compose
Prevents app use of SMS (compose). Default is On.
Block screen capture
Prevents or permits a user-initiated screen capture operation while the app is running. Default is On.

Block device sensor
Prevents or permits an app to use the device sensors, such as the accelerometer, motion sensor, or gyroscope. Default is On.

Policies for App Settings

The following policies establish email settings and apply to WorxMail and WorxWeb.

  • Background network services
  • Background services ticket expiration
  • Background network services gateway
WorxMail Exchange Server
The fully qualified domain name (FQDN) for Exchange Server. Default is empty.
WorxMail user domain
The default Active Directory domain name for Exchange users. Default is empty.
Background network services
The FQDN and port of the ActiveSync server, such as servername:443. This might be an Exchange Server, either in your internal network or in another network that WorxMail connects to, such as mail.mycompany.com:4443. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. This policy is only available for WorxMail.
Background services ticket expiration
The time period that a background network service ticket remains valid. When WorxMail connects through NetScaler Gateway to an Exchange Server running ActiveSync, App Controller issues a token that WorxMail uses to connect to the internal Exchange Server. This property setting determines the duration that WorxMail can use the token without requiring a new token for authentication and the connection to the Exchange Server. When the time limit expires, users must log on again to Receiver to generate a new token. Default value is 168 hours (7 days). This policy is only available with WorxMail.
Background network services gateway
This is the NetScaler Gateway FQDN and port number that WorxMail uses to connect to the internal Exchange Server. The format is "fqdn:port". In the NetScaler Gateway configuration utility, you must configure the Secure Ticket Authority (STA) and bind the policy to the virtual server. For more information about configuring the STA in NetScaler Gateway, see Configuring the Secure Ticket Authority on NetScaler Gateway. The default value is empty, implying that an alternate gateway does not exist. If you configure this policy, set the Network access policy to Tunneled to the internal network. This policy takes effect when you configure the network access policy. In addition, use this policy when the Exchange Server resides in your internal network or if you want to use NetScaler Gateway to proxy the connection to the internal Exchange Server. This policy is only available with WorxMail.

Policies to Address Authentication

Authentication
Determines if the app requires enterprise logon to run. Default is Offline access permitted after challenge.

Options:

  • Network logon. Requires Worx Home sign on to securely use the app. If you set the policy to require network logon, when users try to open an app, the following message appears: Sign on to Worx Home to securely use this app.
  • Offline access permitted after challenge. The app prompts for enterprise logon when possible, but allows offline use after the password challenge.
  • Offline challenge only. Allows the app to run with an offline password challenge.
  • Not required. Does not require user authentication.
Note: After the maximum offline period for the app expires, Receiver logon will be required regardless of the policy setting.
Maximum offline period (hours)
Defines the maximum period an application can run offline without requiring an enterprise logon for the purpose of entitlement and refreshing policies. Default is 72 hours (3 days).
Regardless of app logon requirements, this is the maximum time between Receiver logons to reconfirm entitlement and refresh policies. The minimum time you can configure is 1 hour. Users are reminded to log on at 30, 15, and 5 minutes before the period expires. After expiration, the app is locked until users log on.
Note: If the Authentication policy is set to Network logon, this setting is ignored with no offline access allowed.
Reauthentication period (hours)
Defines the period before a user is challenged to authenticate again. Default is 8 hours. A setting of 0 (zero) prompts for logon each time the app is started or reactivated.

Policies to Determine Device Security

Block jailbroken or rooted
The app is locked when the device is jailbroken (iOS) or rooted (Android). Default is On.

Options:

  • On. The app is locked when the device is jailbroken or rooted.
  • Off. The app can run on a jailbroken or rooted device.
Require device encryption
If true, the managed application is locked if the device does not have encryption configured. If false, the app is allowed to run even if the device does not have encryption configured. Default is Off.
Require device pin or password
If true, the app is locked if the device does not have a PIN or password configured. If false, the app is allowed to run even if the device does not have a PIN or password set. Default is Off.
Require device pattern screen lock
If true, the app is locked if the device does not have a pattern screen lock configured. If false, the app is allowed to run even if the device does not have a pattern screen lock set. Default is Off.
Note: This policy is only enforced if the Require device pin or password setting is Off.
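
As an added example that is not part of the Citrix documentation, the following Python models how these four device-security policies combine into a single lock decision, including the note above that the pattern screen lock policy is enforced only when Require device pin or password is Off. The policy and posture classes, their field names, and the audit function are assumptions made for illustration; App Controller exposes no such API.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DeviceSecurityPolicy:
    """The four device-security policies, with the page's defaults as field defaults."""
    block_jailbroken_or_rooted: bool = True            # Default is On
    require_device_encryption: bool = False            # Default is Off
    require_device_pin_or_password: bool = False       # Default is Off
    require_device_pattern_screen_lock: bool = False   # Default is Off


@dataclass(frozen=True)
class DevicePosture:
    """Constructed device state (assumption: these four facts are what the policies check)."""
    rooted: bool = False
    encrypted: bool = True
    pin_or_password_set: bool = True
    pattern_lock_set: bool = False


def lock_reasons(policy: DeviceSecurityPolicy, device: DevicePosture) -> List[str]:
    """Return the reasons the app would be locked on this device; an empty list means it may run."""
    reasons: List[str] = []
    if policy.block_jailbroken_or_rooted and device.rooted:
        reasons.append("device is rooted")
    if policy.require_device_encryption and not device.encrypted:
        reasons.append("device encryption not configured")
    if policy.require_device_pin_or_password:
        if not device.pin_or_password_set:
            reasons.append("no device PIN or password")
    elif policy.require_device_pattern_screen_lock and not device.pattern_lock_set:
        # Per the page's note, the pattern screen lock policy is enforced only
        # when Require device pin or password is Off.
        reasons.append("no pattern screen lock")
    return reasons


def app_may_run(policy: DeviceSecurityPolicy, device: DevicePosture) -> bool:
    """True when no device-security policy locks the app."""
    return not lock_reasons(policy, device)


def audit_policy(policy: DeviceSecurityPolicy) -> List[str]:
    """Flag settings that have no effect or leave a gap, for an administrator to review."""
    warnings: List[str] = []
    if policy.require_device_pin_or_password and policy.require_device_pattern_screen_lock:
        warnings.append("Require device pattern screen lock is ignored while "
                        "Require device pin or password is On")
    if not policy.require_device_pin_or_password and not policy.require_device_pattern_screen_lock:
        warnings.append("no device screen lock is required; the app runs on devices with no lock")
    if not policy.require_device_encryption:
        warnings.append("device encryption is not required")
    if not policy.block_jailbroken_or_rooted:
        warnings.append("the app may run on rooted devices")
    return warnings


if __name__ == "__main__":
    defaults = DeviceSecurityPolicy()
    print("defaults, rooted device:", lock_reasons(defaults, DevicePosture(rooted=True)))
    print("audit of defaults:", audit_policy(defaults))
```

The audit shows why the note matters in practice: turning on both screen-lock policies does not make the check stricter, because the pattern policy is never consulted while the PIN/password policy is On.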

Policies for Encryption

Encryption keys
Controls access to encryption keys and the associated encrypted content. Default is Offline access permitted.

Option:

  • Offline access permitted. Android devices permit offline access only. Secrets used to derive encryption keys may be persisted on the device.
    Note: If you select Offline access permitted, Citrix recommends that you set the authentication policy to Offline challenge only in order to protect access to the keys and the associated encrypted content.
Private file encryption
Controls the encryption of private data files in the following locations: /data/data/appname and /mnt/sdcard/Android/data/appname. Default is Application.
Options:
  • Disabled. Encryption is turned off.
  • SecurityGroup. Encrypts private files by using a key shared by all MDX applications in the same security group.
  • Application. Encrypts private files using a key unique to the application.
Private file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the internal and external sandboxes. Default is empty.
Non-standard external storage locations
Contains a comma-separated list of non-standard external storage locations. Different devices may use different paths for SD cards and so on. The standard external storage location for Android (typically, /mnt/sdcard) is automatically recognized and does not need to appear on this list.
Access limits for public files
Contains a comma-separated list. Each entry is a regular expression path followed by (NA), (RO), or (RW). Files matching the path are limited to No Access, Read Only, or Read Write access. The list is processed in order and the first matching path is used to set the access limit. Default is empty.
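
To show how the two regular-expression lists described above behave (Private file encryption exclusions and Access limits for public files), here is an added Python example that is not part of the Citrix documentation. It parses constructed sample values in the documented syntax, applies first-match evaluation for access limits, and flags rules that an earlier, broader rule prevents from ever matching. The function names, the sample values, and whole-path matching of each regular expression are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample policy values (assumption: the page gives the syntax
# "regex(NA)", "regex(RO)", "regex(RW)" but no concrete values). Paths are
# relative to the app's sandbox, as the page states.
ACCESS_LIMITS = r"Download/.*\.apk(NA),Download/.*(RO),Pictures/.*(RW)"
ENCRYPTION_EXCLUSIONS = r"cache/.*,.*\.tmp"

AccessRule = Tuple[re.Pattern, str]


def split_policy_list(value: str) -> List[str]:
    """Split a comma-separated policy value. An empty value (the page's default)
    yields no entries. Caveat: a comma inside a regex (for example a{1,3}) cannot
    be expressed in this format, so such an entry would be split incorrectly."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def parse_access_limits(value: str) -> List[AccessRule]:
    """Parse 'regex(NA),regex(RO),...' into ordered (compiled regex, level) pairs."""
    rules: List[AccessRule] = []
    for entry in split_policy_list(value):
        match = re.fullmatch(r"(.+)\((NA|RO|RW)\)", entry)
        if match is None:
            raise ValueError(f"malformed access-limit entry: {entry!r}")
        rules.append((re.compile(match.group(1)), match.group(2)))
    return rules


def parse_exclusions(value: str) -> List[re.Pattern]:
    """Parse an encryption-exclusion list into compiled regexes."""
    return [re.compile(entry) for entry in split_policy_list(value)]


def access_limit_for(path: str, rules: List[AccessRule]) -> Optional[str]:
    """Return NA, RO or RW from the first rule whose regex matches the whole
    relative path (assumption: whole-path matching); None when no rule applies."""
    for pattern, level in rules:
        if pattern.fullmatch(path):
            return level
    return None


def is_encryption_excluded(path: str, exclusions: List[re.Pattern]) -> bool:
    """A file stays unencrypted when any exclusion regex matches its relative path."""
    return any(pattern.fullmatch(path) for pattern in exclusions)


def shadowed_rules(rules: List[AccessRule], sample_paths: List[str]) -> List[int]:
    """Indices of rules that never win first-match for any of the sample paths.
    A broad rule listed before a narrower one silently disables the narrower one."""
    winners = set()
    for path in sample_paths:
        for index, (pattern, _level) in enumerate(rules):
            if pattern.fullmatch(path):
                winners.add(index)
                break
    return [index for index in range(len(rules)) if index not in winners]


if __name__ == "__main__":
    rules = parse_access_limits(ACCESS_LIMITS)
    for sample in ("Download/tool.apk", "Download/report.pdf", "Pictures/cat.jpg", "Music/song.mp3"):
        print(sample, "->", access_limit_for(sample, rules))
    # Same rules in the wrong order: the (NA) rule can never match.
    misordered = parse_access_limits(r"Download/.*(RO),Download/.*\.apk(NA)")
    print("shadowed rule indices:", shadowed_rules(misordered, ["Download/tool.apk", "Download/report.pdf"]))
```

Because the list is processed in order and the first match wins, put the most specific paths (typically the No Access entries) first; the shadowed_rules check over a few representative paths catches the reverse ordering before the policy is deployed.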
Public file encryption
Controls the encryption of public files. Default value is Security group.
Options:
  • Disabled. Does not encrypt public files.
  • Security group. Encrypts public files by using a key shared by all MDX applications in the same security group.
  • Application. Encrypts public files using a key unique to this application.
Public file encryption exclusions
Contains a comma-separated list of file paths. Each path is a regular expression that represents one or more files that should not be encrypted. The file paths are relative to the default external storage and to any explicitly listed external storage.
Public file migration
This policy is enforced only when public file encryption is enabled (changed from the Disabled option to the SecurityGroup/Application option). This policy is applicable only to existing, unencrypted public files and specifies when these files are encrypted. Default value is Write (WO/RW).
Note: New files or overwriting existing unencrypted files encrypts the replacement files in every case.
Caution: Encrypting an existing public file makes the file unavailable to other applications that do not have the same encryption key.
Options:
  • Disabled. Does not encrypt existing files.
  • Write (WO/RW). Encrypts the existing files only when they are opened for write-only or read-write access.
  • Any. Encrypts the existing files when they are opened in any mode.

Policies for Miscellaneous Situations

App update grace period (hours)
Defines the grace period during which users may use an app after the system has discovered that an app update is available. Default is 168 hours (7 days). If 0, the update must be applied immediately.
Note: Citrix recommends using a value other than zero (0). A zero (0) value would immediately prevent users, without warning, from using a running app until they download and install the update. This could lead to a situation in which users are forced to exit the app and potentially lose work.
Auth failures before lock
Locks the app after the specified number of consecutive offline logon failures and prompts the user to log on. Default is 5 failures. If you enter 0, the app does not lock no matter how many times users enter incorrect credentials.
Erase app data on lock
Erases data and resets the app when the app is locked. Default is Off.

Options:

  • On. App data is automatically erased when the app is locked.
  • Off. App data is not erased automatically when the app is locked.

An app can be locked for any of the following reasons:

  • Loss of app entitlement for the user.
  • Removal of app subscription.
  • Removal of Receiver account.
  • Uninstallation of Receiver.
  • Too many app authentication failures.
  • Rooted device and policy restricting the app to run on such a device.
  • Other administrative action to lock device.
Active poll period (minutes)
Determines how often XenMobile App Edition is polled to determine the current app (enabled or disabled) and device (lock or erase) status. When a device has network connectivity, polling allows the running app to detect and respond to changes in the app state. Default is 60 minutes (1 hour).
Important: Only set this value lower for high-risk apps; otherwise, performance may be affected.

Policies on Network Access and Requirements

Network access
Prevents, permits, or redirects app network activity. The app blocks network use or restricts it to an app-specific tunnel gateway. Default is Blocked.

Options:

  • Unrestricted. Allows unrestricted access to the internal network.
  • Blocked. When blocked, the app behaves as if the device has no network connection. All network access is blocked.
  • Tunneled to the internal network. A per-app VPN tunnel through NetScaler Gateway to the internal network is used for all network access.
    Note: This setting requires Receiver logon.
Require WiFi
Determines if the device requires a WiFi connection in order for an app to run. Default is Off.

Options:

  • On. The app is locked when the device is not connected to a WiFi network.
  • Off. The app can run even if the device does not have an active WiFi connection, for example over a 4G/3G or LAN connection.
Require internal network
The app requires a connection to a network within the organization. Default is Off.

Options:

  • On. The app is blocked when the device is not connected to an internal network.
  • Off. The app can run from an external network.
Internal WiFi networks
The app requires a connection to one of the specified wireless networks. Separate the network Service Set Identifiers (SSIDs) with commas. The default is an empty list. An empty list means that users can connect to any internal WiFi network. If users log on from an external network (or they are not logged on), this policy is not enforced.